ardent-cli 0.0.35 → 0.0.37

package/dist/index.js

@@ -740,11 +740,9 @@ function diffAction() {
   console.error(
     `${red}error:${reset2} \`ardent branch diff\` has been removed.
 
-The underlying CDC service (branching-replay-service + StarRocks) was
-deprecated in favour of pgstream. A pgstream-backed diff view is on the
-roadmap but not yet shipped.
+A replacement is on the roadmap.
 
-${yellow}If you need the current state of a branch:${reset2} \`ardent branch info <name>\`
+${yellow}To view the current state of a branch:${reset2} \`ardent branch info <name>\`
 `
   );
   process.exit(2);
@@ -798,6 +796,31 @@ function printDegradedWarnings(warnings) {
   console.log("  Review this connector with: ardent connector list");
 }
 
+// src/lib/connector_status_display.ts
+var ENGINE_STATUS_DISPLAY = {
+  healthy: "ready",
+  degraded: "ready (with warnings)",
+  configuration_verified: "setup pending",
+  configuration_failed: "configuration check failed",
+  validating: "validation in progress",
+  failed_validation: "validation failed",
+  unhealthy: "unhealthy",
+  unchecked: "not yet configured"
+};
+var CONNECTION_STATUS_DISPLAY = {
+  connected: "connected",
+  failed: "connection failed",
+  unknown: "unknown"
+};
+function engineStatusDisplay(status) {
+  if (!status) return "not ready";
+  return ENGINE_STATUS_DISPLAY[status] ?? "not ready";
+}
+function connectorStatusDisplay(status) {
+  if (!status) return "unknown";
+  return CONNECTION_STATUS_DISPLAY[status] ?? ENGINE_STATUS_DISPLAY[status] ?? "not ready";
+}
+
 // src/lib/engine_setup_result.ts
 var SUCCESS_ENGINE_STATUSES = /* @__PURE__ */ new Set(["healthy", "degraded"]);
 var RETRYABLE_ENGINE_STATUSES = /* @__PURE__ */ new Set(["configuration_verified"]);
@@ -836,23 +859,63 @@ function assertEngineSetupCompleted(operation, connectorName) {
     throw new EngineSetupTerminalStatusError(
       "retryable_engine_status",
       engineStatus,
-      `Engine setup needs retry (status: ${engineStatus}). Run \`ardent connector retry-setup ${connectorName}\` to retry, or \`ardent connector list\` to inspect connector state first.`
+      `Engine setup needs retry (${engineStatusDisplay(engineStatus)}). Run \`ardent connector retry-setup ${connectorName}\` to retry, or \`ardent connector list\` to inspect connector state first.`
     );
   }
   if (FAILED_ENGINE_STATUSES.has(engineStatus)) {
     throw new EngineSetupTerminalStatusError(
       "failed_engine_status",
       engineStatus,
-      `Engine setup failed (status: ${engineStatus}). Run \`ardent connector list\` to inspect connector state.`
+      `Engine setup failed (${engineStatusDisplay(engineStatus)}). Run \`ardent connector list\` to inspect connector state.`
     );
   }
   throw new EngineSetupTerminalStatusError(
     "unexpected_engine_status",
     engineStatus,
-    `Engine setup completed with unexpected status: ${engineStatus}.`
+    "Engine setup completed in an unexpected state. Contact Ardent support."
   );
 }
 
+// src/lib/operation_stage_display.ts
+var STAGE_DISPLAY = {
+  // engine_setup_worker / postgres_engine_setup
+  "dispatched": "Starting",
+  "preparing": "Preparing",
+  "creating-neon-project": "Provisioning the branch target",
+  "preparing-target-databases": "Preparing target databases",
+  "deploying-pgstream": "Starting replication",
+  "applying-rls": "Applying RLS policies",
+  "storing-credentials": "Storing connection credentials",
+  "validating": "Validating the branch target",
+  // reset_worker / reset_connector
+  "resetting": "Resetting",
+  "deleting-pgstream": "Stopping replication",
+  "rediscovering-source": "Re-checking the source database",
+  "resetting-neon-main": "Resetting the branch target",
+  "creating-target-schemas": "Recreating target schemas",
+  "redeploying-pgstream": "Restarting replication",
+  // environment deploy_worker
+  "loading_config": "Loading environment configuration",
+  "deploying_infrastructure": "Provisioning environment infrastructure",
+  "recording_success": "Finalizing environment",
+  "cleaning_failed_deploy": "Cleaning up failed environment provisioning",
+  // environment destroy_worker
+  "deleting_private_links": "Removing private network links",
+  "destroying_infrastructure": "Tearing down environment infrastructure",
+  "recording_destroy_success": "Finalizing environment teardown"
+};
+function humanizeRawStage(_raw) {
+  return "Working";
+}
+function operationStageDisplay(stage) {
+  if (!stage) return "Working";
+  const colonIndex = stage.indexOf(":");
+  const base = colonIndex === -1 ? stage : stage.slice(0, colonIndex);
+  const suffix = colonIndex === -1 ? "" : stage.slice(colonIndex + 1);
+  const label = STAGE_DISPLAY[base] ?? humanizeRawStage(base);
+  return suffix ? `${label} (for ${suffix})` : label;
+}
+
 // src/lib/engine_setup.ts
 var EngineSetupTimeoutError = class extends Error {
   constructor(message) {
@@ -904,7 +967,7 @@ async function runEngineSetupWithPolling(connectorId, connectorName) {
     }
     if (op.stage && op.stage !== lastStage) {
       const progressLabel = op.progress != null ? ` (${op.progress}%)` : "";
-      console.log(`  ${op.stage}${progressLabel}`);
+      console.log(`  ${operationStageDisplay(op.stage)}${progressLabel}`);
       lastStage = op.stage;
     }
     if (op.status === "completed") {
@@ -919,7 +982,7 @@ async function runEngineSetupWithPolling(connectorId, connectorName) {
     }
   }
   throw new EngineSetupTimeoutError(
-    `Engine setup did not complete within ${maxWaitMs / 6e4} minutes. Setup may still be running server-side \u2014 do NOT delete the connector. Check status with: ardent connector list (operation ${operationId})`
+    `Engine setup did not complete within ${maxWaitMs / 6e4} minutes. Setup may still be running server-side \u2014 do NOT delete the connector. Check status with: ardent connector list. If you contact Ardent support, reference operation id ${operationId}.`
   );
 }
 
@@ -1258,7 +1321,9 @@ function logSubmissionDisallowed() {
   console.error(
     "  Wait for the current setup attempt to finish, then retry setup if the connector still shows setup pending."
   );
-  console.error("  Contact Ardent support if the connector stays validating.");
+  console.error(
+    "  Contact Ardent support if the connector's setup does not progress within a few minutes."
+  );
 }
 function logNonInteractiveRequired(decisionsNeeded) {
   const noun = decisionsNeeded === 1 ? "table" : "tables";
@@ -1462,7 +1527,7 @@ async function promptForUnsupportedExtensions(connectorId, unsupported, alreadyP
     await api.put(`/v1/connectors/${connectorId}`, {
       drop_extensions: merged2
     });
-    console.log(`\u2713 Saved drop selection: ${merged2.join(", ")}`);
+    console.log(`\u2713 Saved extension exclusions: ${merged2.join(", ")}`);
     return "applied";
   }
   console.log(
@@ -1489,7 +1554,7 @@ async function promptForUnsupportedExtensions(connectorId, unsupported, alreadyP
   await api.put(`/v1/connectors/${connectorId}`, {
     drop_extensions: merged
   });
-  console.log(`\u2713 Saved drop selection: ${merged.join(", ")}`);
+  console.log(`\u2713 Saved extension exclusions: ${merged.join(", ")}`);
   return "applied";
 }
 function printUnloggedTablesPreflight(preflight) {
@@ -1845,7 +1910,7 @@ async function listAction2() {
     if (render.kind === "engine_pending") enginePendingCount += 1;
     const warnings = connector.warnings ?? [];
     const warningSuffix = warnings.length > 0 ? `  ${yellow}\u26A0 ${warnings.length}${reset2}` : "";
-    const statusSuffix = render.kind === "ready" ? "" : `  ${render.color}[${connector.status}]${reset2}`;
+    const statusSuffix = render.kind === "ready" ? "" : `  ${render.color}[${connectorStatusDisplay(connector.status)}]${reset2}`;
     const nameLine = isCurrent ? `${green2}* ${render.color}${render.icon}${green2} ${connector.name}${reset2}${warningSuffix}${statusSuffix}` : `  ${render.color}${render.icon}${reset2} ${connector.name}${warningSuffix}${statusSuffix}`;
     console.log(nameLine);
     if (isCurrent) {
@@ -2862,6 +2927,964 @@ async function removeAction2(key) {
   }
 }
 
+// src/lib/supabase_link.ts
+import { execFileSync } from "child_process";
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync2, rmSync } from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname, join as join2 } from "path";
+var CONFIG_DIR2 = join2(homedir2(), ".ardent");
+var STATE_DIR = join2(CONFIG_DIR2, "supabase-links");
+var ORIGINAL_SUFFIX = "-ardent-original";
+var SERVICE_SUFFIXES = ["rest", "auth", "storage", "realtime", "pg_meta"];
+var DOCKER_HOST_GATEWAY = "host.docker.internal";
+var REALTIME_LIST_CHANGES_MIGRATION_VERSION = "20230328144023";
+var SENSITIVE_DOCKER_ENV_KEYS = /* @__PURE__ */ new Set([
+  "DATABASE_URL",
+  "DB_PASSWORD",
+  "GOTRUE_DB_DATABASE_URL",
+  "PG_META_DB_PASSWORD",
+  "PGRST_DB_URI",
+  "PGPASSWORD"
+]);
+function redactDockerArgs(args2) {
+  return args2.map((arg) => {
+    const separatorIndex = arg.indexOf("=");
+    if (separatorIndex === -1) {
+      return arg;
+    }
+    const key = arg.slice(0, separatorIndex);
+    if (SENSITIVE_DOCKER_ENV_KEYS.has(key)) {
+      return `${key}=***`;
+    }
+    return arg;
+  });
+}
+function redactDockerErrorMessage(message) {
+  let redactedMessage = message.replace(
+    /(postgres(?:ql)?:\/\/[^:\s/]+:)[^@\s]+@/g,
+    "$1***@"
+  );
+  for (const key of SENSITIVE_DOCKER_ENV_KEYS) {
+    redactedMessage = redactedMessage.replace(
+      new RegExp(`${key}=[^\\s]+`, "g"),
+      `${key}=***`
+    );
+  }
+  return redactedMessage;
+}
+function runDocker(args2, options = {}) {
+  try {
+    return execFileSync("docker", args2, {
+      encoding: "utf-8",
+      stdio: options.stdio ?? "pipe"
+    }).trim();
+  } catch (error) {
+    if (error instanceof Error) {
+      throw new Error(
+        `Docker command failed: docker ${redactDockerArgs(args2).join(" ")}
+${redactDockerErrorMessage(error.message)}`
+      );
+    }
+    throw error;
+  }
+}
+function runDockerWithInput(args2, input, options = {}) {
+  try {
+    return execFileSync("docker", args2, {
+      encoding: "utf-8",
+      input,
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: options.timeoutMs
+    }).trim();
+  } catch (error) {
+    if (error instanceof Error) {
+      throw new Error(
+        `Docker command failed: docker ${redactDockerArgs(args2).join(" ")}
+${redactDockerErrorMessage(error.message)}`
+      );
+    }
+    throw error;
+  }
+}
+function dockerExists(name) {
+  const output = runDocker(["ps", "-a", "--format", "{{.Names}}"]);
+  return output.split("\n").includes(name);
+}
+function inspectContainer(name) {
+  const output = runDocker(["inspect", name]);
+  const parsed = JSON.parse(output);
+  if (parsed.length !== 1) {
+    throw new Error(`Expected one Docker container named ${name}`);
+  }
+  return parsed[0];
+}
+function containerIpAddress(name, network) {
+  const container = inspectContainer(name);
+  const networkState = container.NetworkSettings.Networks[network];
+  const ipAddress = networkState?.IPAddress;
+  if (!ipAddress) {
+    throw new Error(`Container ${name} is not attached to network ${network}`);
+  }
+  return ipAddress;
+}
+function statePath(projectId) {
+  return join2(STATE_DIR, `${projectId.replace(/[^A-Za-z0-9_.-]/g, "_")}.json`);
+}
+function readState(projectId) {
+  const path = statePath(projectId);
+  if (!existsSync2(path)) {
+    return void 0;
+  }
+  return JSON.parse(readFileSync5(path, "utf-8"));
+}
+function writeState(state) {
+  mkdirSync2(dirname(statePath(state.projectId)), { recursive: true });
+  writeFileSync2(statePath(state.projectId), JSON.stringify(state, null, 2));
+}
+function deleteState(projectId) {
+  const path = statePath(projectId);
+  if (existsSync2(path)) {
+    rmSync(path);
+  }
+}
+function detectSupabaseProject(explicitProject) {
+  if (explicitProject) {
+    return explicitProject;
+  }
+  const output = runDocker([
+    "ps",
+    "-a",
+    "--format",
+    '{{.Names}}	{{.Label "com.supabase.cli.project"}}'
+  ]);
+  const projects = /* @__PURE__ */ new Set();
+  for (const line of output.split("\n")) {
+    const parts = line.split("	");
+    if (parts.length !== 2) {
+      continue;
+    }
+    const projectId2 = parts[1]?.trim();
+    if (projectId2) {
+      projects.add(projectId2);
+    }
+  }
+  if (projects.size === 0) {
+    throw new Error("No local Supabase CLI containers found. Run `supabase start` first.");
+  }
+  if (projects.size > 1) {
+    throw new Error(
+      `Multiple Supabase projects found: ${Array.from(projects).join(", ")}. Pass --project <id>.`
+    );
+  }
+  const projectId = Array.from(projects)[0];
+  if (!projectId) {
+    throw new Error("Could not detect local Supabase project id.");
+  }
+  return projectId;
+}
+function containerName(prefix, projectId) {
+  return `supabase_${prefix}_${projectId}`;
+}
+function networkName(projectId) {
+  return `supabase_network_${projectId}`;
+}
+async function resolveBranch(branchName) {
+  const requestedBranchName = branchName || getCurrentBranch();
+  if (!requestedBranchName) {
+    throw new Error("No branch specified and no current branch is selected.");
+  }
+  const currentConnectorId = getConfig("currentConnectorId");
+  if (!currentConnectorId) {
+    throw new Error("No connector selected. Run `ardent connector switch` first.");
+  }
+  const result = await api.get(
+    `/v1/cli/branches?connector_id=${encodeURIComponent(currentConnectorId)}`
+  );
+  if (!Array.isArray(result.branches)) {
+    throw new Error("API returned invalid response: missing branches array");
+  }
+  setCacheEntry("branches", result.branches);
+  const branch = result.branches.find((candidate) => candidate.name === requestedBranchName);
+  if (!branch) {
+    const cached = getCacheEntry("branches");
+    const cachedBranch = cached?.data.find((candidate) => candidate.name === requestedBranchName);
+    if (cachedBranch) {
+      return cachedBranch;
+    }
+    throw new Error(`Branch "${requestedBranchName}" not found.`);
+  }
+  if (!branch.branch_url) {
+    throw new Error(`Branch "${branch.name}" does not have a connection URL.`);
+  }
+  return branch;
+}
+function parseBranchUrl(branchUrl) {
+  const parsed = new URL(branchUrl);
+  if (!parsed.hostname || !parsed.username || !parsed.password) {
+    throw new Error("Branch URL is missing host, username, or password.");
+  }
+  return parsed;
+}
+function branchTargetConnectHost(hostname) {
+  if (hostname === "routing.localhost" || hostname.endsWith(".routing.localhost")) {
+    return DOCKER_HOST_GATEWAY;
+  }
+  return hostname;
+}
+function shouldVerifyBranchTargetCertificate(hostname) {
+  return !(hostname === "routing.localhost" || hostname.endsWith(".routing.localhost"));
+}
+function proxyScript() {
+  return String.raw`
+const net = require("net");
+const tls = require("tls");
+
+const listenPort = Number(process.env.LISTEN_PORT || "5432");
+const targetHost = process.env.TARGET_HOST;
+const targetConnectHost = process.env.TARGET_CONNECT_HOST || targetHost;
+const targetPort = Number(process.env.TARGET_PORT || "5432");
+const targetDatabase = process.env.TARGET_DATABASE;
+const rejectUnauthorized = process.env.TARGET_REJECT_UNAUTHORIZED !== "false";
+
+if (!targetHost || !targetDatabase) {
+  throw new Error("TARGET_HOST and TARGET_DATABASE are required");
+}
+
+const SSL_REQUEST = 80877103;
+const AUTH_SASL = 10;
+
+function readCString(buffer, offset) {
+  const end = buffer.indexOf(0, offset);
+  if (end === -1) {
+    throw new Error("Invalid startup packet: unterminated string");
+  }
+  return [buffer.toString("utf8", offset, end), end + 1];
+}
+
+function rewriteStartupPacket(packet) {
+  const length = packet.readInt32BE(0);
+  const protocol = packet.readInt32BE(4);
+  const params = [];
+  let offset = 8;
+
+  while (offset < length - 1) {
+    let key;
+    [key, offset] = readCString(packet, offset);
+    if (!key) {
+      break;
+    }
+    let value;
+    [value, offset] = readCString(packet, offset);
+    if (key === "database" && (value === "postgres" || value === "_supabase")) {
+      value = targetDatabase;
+    }
+    params.push([key, value]);
+  }
+
+  const chunks = [];
+  const header = Buffer.alloc(4);
+  header.writeInt32BE(protocol, 0);
+  chunks.push(header);
+  for (const [key, value] of params) {
+    chunks.push(Buffer.from(key + "\0" + value + "\0", "utf8"));
+  }
+  chunks.push(Buffer.from([0]));
+  const body = Buffer.concat(chunks);
+  const output = Buffer.alloc(4 + body.length);
+  output.writeInt32BE(output.length, 0);
+  body.copy(output, 4);
+  return output;
+}
+
+function filterServerPacket(packet) {
+  if (packet.length < 9 || packet[0] !== 82) {
+    return packet;
+  }
+  const authCode = packet.readInt32BE(5);
+  if (authCode !== AUTH_SASL) {
+    return packet;
+  }
+  const length = packet.readInt32BE(1);
+  const body = packet.subarray(9, 1 + length);
+  const trailing = packet.subarray(1 + length);
+  const mechanisms = body.toString("utf8").split("\0").filter(Boolean);
+  const filtered = mechanisms.filter((mechanism) => mechanism !== "SCRAM-SHA-256-PLUS");
+  if (filtered.length === mechanisms.length) {
+    return packet;
+  }
+  filtered.push("");
+  const newBody = Buffer.from(filtered.join("\0") + "\0", "utf8");
+  const output = Buffer.alloc(1 + 4 + 4 + newBody.length);
+  output[0] = 82;
+  output.writeInt32BE(4 + 4 + newBody.length, 1);
+  output.writeInt32BE(AUTH_SASL, 5);
+  newBody.copy(output, 9);
+  return Buffer.concat([output, trailing]);
+}
+
+function connectUpstream(startupPacket, client) {
+  const socket = net.connect(targetPort, targetConnectHost, () => {
+    const sslRequest = Buffer.alloc(8);
+    sslRequest.writeInt32BE(8, 0);
+    sslRequest.writeInt32BE(SSL_REQUEST, 4);
+    socket.write(sslRequest);
+  });
+
+  socket.once("data", (response) => {
+    if (response[0] !== 83) {
+      client.destroy(new Error("Upstream PostgreSQL server did not accept SSL"));
+      socket.destroy();
+      return;
+    }
+
+    const secureSocket = tls.connect({
+      socket,
+      servername: targetHost,
+      rejectUnauthorized,
+    }, () => {
+      let rewrittenStartupPacket;
+      try {
+        rewrittenStartupPacket = rewriteStartupPacket(startupPacket);
+      } catch {
+        client.destroy();
+        secureSocket.destroy();
+        return;
+      }
+      secureSocket.write(rewrittenStartupPacket);
+    });
+
+    secureSocket.on("data", (chunk) => {
+      client.write(filterServerPacket(chunk));
+    });
+    client.on("data", (chunk) => secureSocket.write(chunk));
+    secureSocket.on("error", () => client.destroy());
+    client.on("error", () => secureSocket.destroy());
+    secureSocket.on("close", () => client.destroy());
+    client.on("close", () => secureSocket.destroy());
+  });
+
+  socket.on("error", () => client.destroy());
+}
+
+const server = net.createServer((client) => {
+  let buffered = Buffer.alloc(0);
+  let sawSslRequest = false;
+
+  client.on("data", function onFirstData(chunk) {
+    buffered = Buffer.concat([buffered, chunk]);
+    if (buffered.length < 8) {
+      return;
+    }
+
+    const length = buffered.readInt32BE(0);
+    const code = buffered.readInt32BE(4);
+    if (!sawSslRequest && length === 8 && code === SSL_REQUEST) {
+      client.write("N");
+      buffered = buffered.subarray(8);
+      sawSslRequest = true;
+      if (buffered.length < 8) {
+        return;
+      }
+    }
+
+    const startupLength = buffered.readInt32BE(0);
+    if (buffered.length < startupLength) {
+      return;
+    }
+
+    client.off("data", onFirstData);
+    try {
+      const startupPacket = buffered.subarray(0, startupLength);
+      const remainder = buffered.subarray(startupLength);
+      connectUpstream(startupPacket, client);
+      if (remainder.length > 0) {
+        client.unshift(remainder);
+      }
+    } catch {
+      client.destroy();
+    }
+  });
+});
+
+server.listen(listenPort, "0.0.0.0", () => {
+  console.log(JSON.stringify({ event: "listening", listenPort, targetHost, targetConnectHost, targetDatabase }));
+});
+`;
+}
+function writeProxyScript(projectId) {
+  const scriptPath = join2(STATE_DIR, projectId, "proxy.js");
+  mkdirSync2(dirname(scriptPath), { recursive: true });
+  writeFileSync2(scriptPath, proxyScript());
+  return scriptPath;
+}
+function serviceEnvForBranch(servicePrefix, env, dbContainer, branchUser, branchPassword) {
+  const localDbUri = (role) => `postgresql://${encodeURIComponent(role)}:${encodeURIComponent(branchPassword)}@${dbContainer}:5432/postgres?sslmode=disable`;
+  return env.map((entry) => {
+    if (servicePrefix === "rest" && entry.startsWith("PGRST_DB_URI=")) {
+      return `PGRST_DB_URI=${localDbUri("authenticator")}`;
+    }
+    if (servicePrefix === "auth" && entry.startsWith("GOTRUE_DB_DATABASE_URL=")) {
+      return `GOTRUE_DB_DATABASE_URL=${localDbUri("supabase_auth_admin")}`;
+    }
+    if (servicePrefix === "storage" && entry.startsWith("DATABASE_URL=")) {
+      return `DATABASE_URL=${localDbUri("supabase_storage_admin")}`;
+    }
+    if (servicePrefix === "realtime") {
+      if (entry.startsWith("DB_HOST=")) {
+        return `DB_HOST=${dbContainer}`;
+      }
+      if (entry.startsWith("DB_NAME=")) {
+        return "DB_NAME=postgres";
+      }
+      if (entry.startsWith("DB_USER=")) {
+        return "DB_USER=supabase_admin";
+      }
+      if (entry.startsWith("DB_PASSWORD=")) {
+        return `DB_PASSWORD=${branchPassword}`;
+      }
+      if (entry.startsWith("DB_PORT=")) {
+        return "DB_PORT=5432";
+      }
+    }
+    if (servicePrefix === "pg_meta") {
+      if (entry.startsWith("PG_META_DB_HOST=")) {
+        return `PG_META_DB_HOST=${dbContainer}`;
+      }
+      if (entry.startsWith("PG_META_DB_NAME=")) {
+        return "PG_META_DB_NAME=postgres";
+      }
+      if (entry.startsWith("PG_META_DB_USER=")) {
+        return `PG_META_DB_USER=${branchUser}`;
+      }
+      if (entry.startsWith("PG_META_DB_PASSWORD=")) {
+        return `PG_META_DB_PASSWORD=${branchPassword}`;
+      }
+      if (entry.startsWith("PG_META_DB_PORT=")) {
+        return "PG_META_DB_PORT=5432";
+      }
+    }
+    return entry;
+  });
+}
+function mountArgs(mounts) {
+  const args2 = [];
+  for (const mount of mounts) {
+    if (!mount.Source || !mount.Target) {
+      continue;
+    }
+    const readonly = mount.ReadOnly ? ",readonly" : "";
+    args2.push(
+      "--mount",
+      `type=${mount.Type},source=${mount.Source},target=${mount.Target}${readonly}`
+    );
+  }
+  return args2;
+}
+function portPublishArgs(container) {
+  const args2 = [];
+  const ports = container.NetworkSettings.Ports ?? {};
+  for (const [containerPort, bindings] of Object.entries(ports)) {
+    if (!bindings) {
+      continue;
+    }
+    for (const binding of bindings) {
+      if (!binding.HostPort) {
+        continue;
+      }
+      const hostPrefix = binding.HostIp ? `${binding.HostIp}:` : "";
+      args2.push("-p", `${hostPrefix}${binding.HostPort}:${containerPort}`);
+    }
+  }
+  return args2;
+}
+function containerAliases(container, network, fallback) {
+  const aliases = container.NetworkSettings.Networks[network]?.Aliases ?? [];
+  const cleanAliases = aliases.filter((alias) => alias && alias !== container.Name.replace(/^\//, ""));
+  return cleanAliases.length > 0 ? cleanAliases : [fallback];
+}
+function imageCommandArgs(image, entrypoint, command) {
+  const args2 = [];
+  if (entrypoint && entrypoint.length > 0) {
+    args2.push("--entrypoint", entrypoint[0]);
+  }
+  args2.push(image);
+  if (entrypoint && entrypoint.length > 1) {
+    args2.push(...entrypoint.slice(1));
+  }
+  if (command) {
+    args2.push(...command);
+  }
+  return args2;
+}
+function recreateServiceForBranch(servicePrefix, projectId, network, dbContainer, branchUser, branchPassword) {
+  const name = containerName(servicePrefix, projectId);
+  if (!dockerExists(name)) {
+    return void 0;
+  }
+  const originalName = `${name}${ORIGINAL_SUFFIX}`;
+  if (dockerExists(originalName)) {
+    throw new Error(`Refusing to overwrite existing backup container ${originalName}. Run unlink first.`);
+  }
+  const container = inspectContainer(name);
+  const aliases = containerAliases(container, network, servicePrefix.replace("pg_meta", "meta"));
+  const env = serviceEnvForBranch(
+    servicePrefix,
+    container.Config.Env ?? [],
+    dbContainer,
+    branchUser,
+    branchPassword
+  );
+  runDocker(["stop", name]);
+  runDocker(["rename", name, originalName]);
+  const args2 = ["run", "-d", "--name", name, "--network", network];
+  for (const alias of aliases) {
+    args2.push("--network-alias", alias);
+  }
+  for (const envValue of env) {
+    args2.push("-e", envValue);
+  }
+  if (container.Config.User) {
+    args2.push("--user", container.Config.User);
+  }
+  if (container.Config.WorkingDir) {
+    args2.push("--workdir", container.Config.WorkingDir);
+  }
+  args2.push(...mountArgs(container.Mounts));
+  args2.push(
+    ...imageCommandArgs(container.Config.Image, container.Config.Entrypoint, container.Config.Cmd)
+  );
+  runDocker(args2);
+  return { name, originalName };
+}
+function startProxyContainer(projectId, network, dbContainer, parsedBranchUrl, portBindings) {
+  const scriptPath = writeProxyScript(projectId);
+  const targetDatabase = parsedBranchUrl.pathname.replace(/^\//, "") || "postgres";
+  const targetPort = parsedBranchUrl.port || "5432";
+  const targetConnectHost = branchTargetConnectHost(parsedBranchUrl.hostname);
+  const rejectUnauthorized = shouldVerifyBranchTargetCertificate(parsedBranchUrl.hostname);
+  const args2 = [
+    "run",
+    "-d",
+    "--name",
+    dbContainer,
+    "--network",
+    network,
+    "--network-alias",
+    "db",
+    "--network-alias",
+    "db.supabase.internal"
+  ];
+  if (targetConnectHost === DOCKER_HOST_GATEWAY) {
+    args2.push("--add-host", `${DOCKER_HOST_GATEWAY}:host-gateway`);
+  }
+  args2.push(...portBindings);
+  args2.push(
+    "-v",
+    `${scriptPath}:/proxy.js:ro`,
+    "-e",
+    `TARGET_HOST=${parsedBranchUrl.hostname}`,
+    "-e",
+    `TARGET_CONNECT_HOST=${targetConnectHost}`,
+    "-e",
+    `TARGET_PORT=${targetPort}`,
+    "-e",
+    `TARGET_DATABASE=${targetDatabase}`,
+    "-e",
+    `TARGET_REJECT_UNAUTHORIZED=${String(rejectUnauthorized)}`,
+    "-e",
+    "LISTEN_PORT=5432",
+    "node:22-alpine",
+    "node",
+    "/proxy.js"
+  );
+  runDocker(args2);
+}
+function dumpLocalStorageMigrations(dbContainer) {
+  return runDocker([
+    "exec",
+    dbContainer,
+    "pg_dump",
+    "-U",
+    "postgres",
+    "-d",
+    "postgres",
+    "--data-only",
+    "--table=storage.migrations",
+    "--column-inserts",
+    "--no-owner",
+    "--no-privileges"
+  ]);
+}
+function storageMigrationsImportSql(dumpSql) {
+  const tempTable = "pg_temp.ardent_storage_migrations_import";
+  const tempDumpSql = dumpSql.replaceAll("INSERT INTO storage.migrations", `INSERT INTO ${tempTable}`);
+  return `
+BEGIN;
+CREATE TEMP TABLE ardent_storage_migrations_import (LIKE storage.migrations INCLUDING DEFAULTS);
+${tempDumpSql}
+INSERT INTO storage.migrations
+SELECT * FROM ${tempTable}
+ON CONFLICT DO NOTHING;
+COMMIT;
+`;
+}
+function waitForOriginalDb(containerName2) {
+  const deadline = Date.now() + 3e4;
+  while (Date.now() < deadline) {
+    try {
+      runDocker(["exec", containerName2, "pg_isready", "-U", "postgres", "-d", "postgres"]);
+      return;
+    } catch {
+      execFileSync("sleep", ["1"]);
+    }
+  }
+  throw new Error(`Timed out waiting for ${containerName2} to accept local PostgreSQL connections.`);
+}
+function copyLocalStorageMigrationsToBranch(dumpSql, originalDbContainer, dbContainer, network, branchUser, branchPassword) {
+  runDocker(["start", originalDbContainer]);
+  try {
+    waitForOriginalDb(originalDbContainer);
+    const dbContainerIpAddress = containerIpAddress(dbContainer, network);
+    runDockerWithInput(
+      [
+        "exec",
+        "-i",
+        "-e",
+        `PGPASSWORD=${branchPassword}`,
+        originalDbContainer,
+        "psql",
+        "-h",
+        dbContainerIpAddress,
+        "-p",
+        "5432",
+        "-U",
+        branchUser,
+        "-d",
+        "postgres",
+        "-v",
+        "ON_ERROR_STOP=1"
+      ],
+      storageMigrationsImportSql(dumpSql)
+    );
+  } finally {
+    runDocker(["stop", originalDbContainer]);
+  }
+}
+function supabaseRealtimeCompatibilitySql() {
+  return String.raw`
+SET lock_timeout = '2s';
+SET statement_timeout = '5s';
+
+ALTER SCHEMA realtime OWNER TO supabase_admin;
+GRANT ALL PRIVILEGES ON SCHEMA realtime TO supabase_realtime_admin;
+
+CREATE OR REPLACE FUNCTION realtime.list_changes(
+  publication name,
+  slot_name name,
+  max_changes int,
+  max_record_bytes int
+)
+RETURNS SETOF realtime.wal_rls
+LANGUAGE sql
+AS $$
+  WITH pub AS (
+    SELECT
+      concat_ws(
+        ',',
+        CASE WHEN bool_or(pubinsert) THEN 'insert' ELSE NULL END,
+        CASE WHEN bool_or(pubupdate) THEN 'update' ELSE NULL END,
+        CASE WHEN bool_or(pubdelete) THEN 'delete' ELSE NULL END
+      ) AS w2j_actions,
+      coalesce(
+        string_agg(
+          realtime.quote_wal2json(format('%I.%I', schemaname, tablename)::regclass),
+          ','
+        ) FILTER (WHERE ppt.tablename IS NOT NULL AND ppt.tablename NOT LIKE '% %'),
+        ''
+      ) AS w2j_add_tables
+    FROM pg_publication pp
+    LEFT JOIN pg_publication_tables ppt
+      ON pp.pubname = ppt.pubname
+    WHERE pp.pubname = publication
+    GROUP BY pp.pubname
+    LIMIT 1
+  ),
+  w2j AS (
+    SELECT
+      x.*,
+      pub.w2j_add_tables
+    FROM pub,
+    pg_logical_slot_get_changes(
+      slot_name,
+      NULL,
+      max_changes,
+      'include-pk', 'true',
+      'include-transaction', 'false',
+      'include-timestamp', 'true',
+      'include-type-oids', 'true',
+      'format-version', '2',
+      'actions', pub.w2j_actions,
+      'add-tables', pub.w2j_add_tables
+    ) x
+  )
+  SELECT
+    xyz.wal,
+    xyz.is_rls_enabled,
+    xyz.subscription_ids,
+    xyz.errors
+  FROM w2j,
+  realtime.apply_rls(
+    wal := w2j.data::jsonb,
+    max_record_bytes := max_record_bytes
+  ) xyz(wal, is_rls_enabled, subscription_ids, errors)
+  WHERE w2j.w2j_add_tables <> ''
+    AND xyz.subscription_ids[1] IS NOT NULL
+$$;
+
+ALTER FUNCTION realtime.list_changes(name, name, int, int) OWNER TO supabase_realtime_admin;
+GRANT EXECUTE ON FUNCTION realtime.list_changes(name, name, int, int)
+  TO supabase_admin, supabase_realtime_admin;
+
+INSERT INTO realtime.schema_migrations (version, inserted_at)
+VALUES (${REALTIME_LIST_CHANGES_MIGRATION_VERSION}, now())
+ON CONFLICT (version) DO NOTHING;
+`;
+}
+function applySupabaseRealtimeCompatibility(projectId, originalDbContainer, dbContainer, network, branchPassword) {
+  const realtimeContainer = containerName("realtime", projectId);
+  if (!dockerExists(realtimeContainer)) {
+    return;
+  }
+  runDocker(["start", originalDbContainer]);
+  try {
+    waitForOriginalDb(originalDbContainer);
+    const dbContainerIpAddress = containerIpAddress(dbContainer, network);
+    const deadline = Date.now() + 6e4;
+    let lastError = "";
+    while (Date.now() < deadline) {
+      try {
+        runDockerWithInput(
+          [
+            "exec",
+            "-i",
+            "-e",
+            `PGPASSWORD=${branchPassword}`,
+            originalDbContainer,
+            "psql",
+            "-h",
+            dbContainerIpAddress,
+            "-p",
+            "5432",
+            "-U",
+            "supabase_admin",
+            "-d",
+            "postgres",
+            "-v",
+            "ON_ERROR_STOP=1"
+          ],
+          supabaseRealtimeCompatibilitySql(),
+          { timeoutMs: 7e3 }
+        );
+        runDocker(["restart", realtimeContainer]);
+        return;
+      } catch (error) {
+        lastError = error instanceof Error ? error.message : String(error);
+        execFileSync("sleep", ["1"]);
+      }
+    }
+    throw new Error(`Timed out applying Supabase Realtime compatibility: ${lastError}`);
+  } finally {
+    runDocker(["stop", originalDbContainer]);
+  }
+}
+function kongApiUrl(projectId) {
+  const kong = containerName("kong", projectId);
+  if (!dockerExists(kong)) {
+    return void 0;
+  }
+  const output = runDocker(["port", kong, "8000/tcp"]);
+  const first = output.split("\n")[0];
+  const port = first?.split(":").pop();
+  return port ? `http://127.0.0.1:${port}` : void 0;
+}
+async function waitForHealth(projectId) {
+  const apiUrl = kongApiUrl(projectId);
+  if (!apiUrl) {
+    return;
+  }
+  const deadline = Date.now() + 6e4;
+  let lastError = "";
+  while (Date.now() < deadline) {
+    try {
+      const authResponse = await fetch(`${apiUrl}/auth/v1/health`);
+      const restResponse = await fetch(`${apiUrl}/rest/v1/`);
+      if (authResponse.ok && restResponse.ok) {
+        return;
+      }
+      lastError = `auth=${authResponse.status}, rest=${restResponse.status}`;
+    } catch (error) {
+      lastError = error instanceof Error ? error.message : String(error);
+    }
+    await new Promise((resolve) => setTimeout(resolve, 2e3));
+  }
+  throw new Error(`Supabase health checks did not pass: ${lastError}`);
+}
+function restoreOriginalContainer(name, originalName) {
+  if (dockerExists(name)) {
+    runDocker(["rm", "-f", name]);
+  }
+  if (dockerExists(originalName)) {
+    runDocker(["rename", originalName, name]);
+    runDocker(["start", name]);
+  }
+}
+function rollbackPartialLink(projectId, dbContainer, originalDbContainer, services) {
+  for (const service of services.reverse()) {
+    restoreOriginalContainer(service.name, service.originalName);
+  }
+  restoreOriginalContainer(dbContainer, originalDbContainer);
+  deleteState(projectId);
+}
+async function statusSupabaseAction(options = {}) {
+  try {
+    const projectId = detectSupabaseProject(options.project);
+    const state = readState(projectId);
+    console.log(`Supabase project: ${projectId}`);
+    if (!state) {
+      console.log("Status: not linked");
+      return;
+    }
+    console.log("Status: linked");
+    console.log(`Branch: ${state.branchName}`);
+    console.log(`Linked at: ${new Date(state.linkedAt).toLocaleString()}`);
+    console.log(`DB container: ${state.dbContainer}`);
+  } catch (error) {
+    console.error("\u2717 Failed:", error instanceof Error ? error.message : error);
+    process.exit(1);
+  }
+}
+async function linkSupabaseAction(branchName, options = {}) {
+  let projectId = "";
+  let dbContainer = "";
+  let originalDbContainer = "";
+  const createdServices = [];
+  try {
+    projectId = detectSupabaseProject(options.project);
+    if (readState(projectId)) {
+      throw new Error(`Supabase project ${projectId} is already linked. Run unlink first.`);
+    }
+    const branch = await resolveBranch(branchName);
+    const parsedBranchUrl = parseBranchUrl(branch.branch_url);
+    const branchUser = decodeURIComponent(parsedBranchUrl.username);
+    const branchPassword = decodeURIComponent(parsedBranchUrl.password);
+    dbContainer = containerName("db", projectId);
+    originalDbContainer = `${dbContainer}${ORIGINAL_SUFFIX}`;
+    const network = networkName(projectId);
+    if (!dockerExists(dbContainer)) {
+      throw new Error(`Local Supabase DB container not found: ${dbContainer}`);
+    }
+    if (dockerExists(originalDbContainer)) {
+      throw new Error(`Backup DB container already exists: ${originalDbContainer}. Run unlink first.`);
+    }
+    console.log(`Linking Supabase project ${projectId} to branch ${branch.name}...`);
+    const storageMigrationsDump = dumpLocalStorageMigrations(dbContainer);
+    const originalDbContainerState = inspectContainer(dbContainer);
+    const dbPortBindings = portPublishArgs(originalDbContainerState);
+    runDocker(["stop", dbContainer]);
+    runDocker(["rename", dbContainer, originalDbContainer]);
+    startProxyContainer(projectId, network, dbContainer, parsedBranchUrl, []);
+    copyLocalStorageMigrationsToBranch(
+      storageMigrationsDump,
+      originalDbContainer,
+      dbContainer,
+      network,
+      branchUser,
+      branchPassword
+    );
+    for (const servicePrefix of SERVICE_SUFFIXES) {
+      const service = recreateServiceForBranch(
+        servicePrefix,
+        projectId,
+        network,
+        dbContainer,
+        branchUser,
+        branchPassword
+      );
+      if (service) {
+        createdServices.push(service);
+      }
+    }
+    applySupabaseRealtimeCompatibility(
+      projectId,
+      originalDbContainer,
+      dbContainer,
+      network,
+      branchPassword
+    );
+    runDocker(["rm", "-f", dbContainer]);
+    startProxyContainer(projectId, network, dbContainer, parsedBranchUrl, dbPortBindings);
+    const kong = containerName("kong", projectId);
+    if (dockerExists(kong)) {
+      runDocker(["restart", kong]);
+    }
+    const state = {
+      version: 1,
+      projectId,
+      network,
+      branchName: branch.name,
+      linkedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      dbContainer,
+      originalDbContainer,
+      services: createdServices
+    };
+    if (!options.skipHealthCheck) {
+      await waitForHealth(projectId);
+    }
+    writeState(state);
+    console.log("\u2713 Local Supabase is linked to the branch");
+    trackEvent("CLI: settings supabase link succeeded");
+  } catch (error) {
+    if (projectId) {
+      const state = readState(projectId);
+      if (!state && dbContainer && originalDbContainer) {
+        rollbackPartialLink(projectId, dbContainer, originalDbContainer, createdServices);
+      }
+    }
+    trackEvent("CLI: settings supabase link failed");
+    console.error("\u2717 Failed:", error instanceof Error ? error.message : error);
+    process.exit(1);
+  }
+}
+async function unlinkSupabaseAction(options = {}) {
+  try {
+    const projectId = detectSupabaseProject(options.project);
+    const state = readState(projectId);
+    if (!state) {
+      console.log(`Supabase project ${projectId} is not linked`);
+      return;
+    }
+    console.log(`Unlinking Supabase project ${projectId}...`);
+    restoreOriginalContainer(state.dbContainer, state.originalDbContainer);
+    for (const service of state.services) {
+      restoreOriginalContainer(service.name, service.originalName);
+    }
+    const kong = containerName("kong", projectId);
+    if (dockerExists(kong)) {
+      runDocker(["restart", kong]);
+    }
+    deleteState(projectId);
+    if (!options.skipHealthCheck) {
+      await waitForHealth(projectId);
+    }
+    console.log("\u2713 Local Supabase restored to its local database");
+    trackEvent("CLI: settings supabase unlink succeeded");
+  } catch (error) {
+    trackEvent("CLI: settings supabase unlink failed");
+    console.error("\u2717 Failed:", error instanceof Error ? error.message : error);
+    process.exit(1);
+  }
+}
+
 // src/commands/settings/index.ts
 var settingsCommand = new Command6("settings").description("Manage settings for the current connector").showHelpAfterError("(run 'ardent settings --help' for valid keys)");
 settingsCommand.command("list").description("List current settings for the connector").action(listAction5);
@@ -2869,6 +3892,11 @@ settingsCommand.command("set <key> <value>").description(
   "Set a setting. Keys: default_db, branch_sql. For branch_sql, prefix value with @ to read from file."
 ).action(setAction);
 settingsCommand.command("remove <key>").description("Remove a setting. Keys: default_db, branch_sql.").action(removeAction2);
+var supabaseSettingsCommand = new Command6("supabase").description("Link local Supabase to an Ardent branch");
+supabaseSettingsCommand.command("status").description("Show local Supabase link status").option("--project <project>", "Supabase CLI project id").action(statusSupabaseAction);
+supabaseSettingsCommand.command("link [branch]").description("Point local Supabase at an Ardent branch").option("--project <project>", "Supabase CLI project id").option("--skip-health-check", "Skip Supabase API health checks after linking").action(linkSupabaseAction);
+supabaseSettingsCommand.command("unlink").description("Restore local Supabase to its local database").option("--project <project>", "Supabase CLI project id").option("--skip-health-check", "Skip Supabase API health checks after unlinking").action(unlinkSupabaseAction);
+settingsCommand.addCommand(supabaseSettingsCommand);
 
 // src/commands/auth/index.ts
 import { Command as Command7 } from "commander";
@@ -3060,16 +4088,16 @@ var logoutCommand = new Command7("logout").description("Logout from Ardent").act
 var statusCommand = new Command7("status").description("Show status").action(statusAction);
 
 // src/lib/update-check.ts
-import { existsSync as existsSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
-import { join as join2 } from "path";
-import { homedir as homedir2 } from "os";
-var UPDATE_CHECK_FILE = join2(homedir2(), ".ardent", "update-check.json");
+import { existsSync as existsSync3, readFileSync as readFileSync6, writeFileSync as writeFileSync3 } from "fs";
+import { join as join3 } from "path";
+import { homedir as homedir3 } from "os";
+var UPDATE_CHECK_FILE = join3(homedir3(), ".ardent", "update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
 var PACKAGE_NAME = "ardent-cli";
 function loadCache() {
   try {
-    if (existsSync2(UPDATE_CHECK_FILE)) {
-      return JSON.parse(readFileSync5(UPDATE_CHECK_FILE, "utf-8"));
+    if (existsSync3(UPDATE_CHECK_FILE)) {
+      return JSON.parse(readFileSync6(UPDATE_CHECK_FILE, "utf-8"));
     }
   } catch {
   }
@@ -3081,7 +4109,7 @@ function saveCache(latestVersion) {
       latest_version: latestVersion,
       checked_at: (/* @__PURE__ */ new Date()).toISOString()
     };
-    writeFileSync2(UPDATE_CHECK_FILE, JSON.stringify(data));
+    writeFileSync3(UPDATE_CHECK_FILE, JSON.stringify(data));
   } catch {
   }
 }
@@ -3168,6 +4196,7 @@ SETTINGS
   settings list          List current settings for the connector
   settings set           Set a setting (e.g. default_db testdb)
   settings remove        Remove a setting
+  settings supabase      Link local Supabase to the current branch
 
 TEAM
   invite <email>         Invite a user to your organization

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ardent-cli",
-  "version": "0.0.35",
+  "version": "0.0.37",
   "description": "Git for Data infrastructure",
   "type": "module",
   "bin": {